Practice CISM Information Security Risk Management questions with full explanations on every answer.
1. A financial institution is implementing a new online banking platform. The risk assessment identified that the authentication module has a high likelihood of exploitation due to weak password policies. The risk owner has decided to implement multi-factor authentication (MFA) to reduce the risk. This is an example of which risk response strategy?
2. An organization has a risk appetite that allows for a maximum residual risk level of 'medium' for all operational risks. A new project introduces a risk with inherent risk level 'high' and control effectiveness rated as 'partially effective'. The risk owner proposes to accept the risk. As the CISM, what is the best course of action?
3. During a risk assessment, a CISM identifies that the organization's data backup process has a single point of failure. The backup server is located in the same data center as the primary server. Which risk response is most appropriate?
4. A multinational corporation is assessing the risk of data breaches from third-party vendors. The CISM is tasked with selecting a risk treatment strategy. The organization has a low risk appetite for data breaches. Which strategy should be prioritized?
5. In a risk assessment, a CISM calculates the annualized loss expectancy (ALE) for a specific threat. The single loss expectancy (SLE) is $50,000 and the annualized rate of occurrence (ARO) is 0.2. What is the ALE, and which risk response is most cost-effective if a control costs $12,000 per year and reduces ARO to 0.05?
6. A company is evaluating its risk management process. The CISM notices that risks are being assessed based on qualitative scales (low, medium, high) but decisions require quantitative data. What is the most effective action to improve the process?
7. Which TWO of the following are key components of an information risk management program, as defined by ISACA? (Select exactly two.)
8. Which THREE of the following are valid risk treatment options according to ISO 31000? (Select exactly three.)
9. Refer to the exhibit. A security analyst reviews the firewall configuration and identifies a potential risk. What is the most likely risk?
10. Refer to the exhibit. A system administrator reviews the log and notices repeated failed SSH attempts from the same IP address. What is the most appropriate risk response?
11. You are the CISM for a mid-sized e-commerce company that processes credit card transactions. The company recently experienced a security incident where an attacker exploited a vulnerability in the web application to gain access to the customer database containing payment card information. The incident response team contained the breach, but the root cause analysis revealed that the vulnerability had been identified in a penetration test six months ago but was not remediated due to competing priorities. The company's risk management framework defines risk appetite as 'moderate' for information security risks. The board is concerned and has asked you to recommend improvements to prevent recurrence. The company has a limited budget and cannot implement all possible controls. Current environment: web application developed in-house, hosted on-premises, with a mix of virtual and physical servers. The security team consists of three people responsible for monitoring, incident response, and vulnerability management. The development team follows an agile methodology with bi-weekly sprints. The company has cyber liability insurance that covers breach response costs up to $2 million. Based on this scenario, what is the most effective course of action?
12. An organization has implemented a new web application that processes sensitive customer data. The risk assessment identified a high likelihood of SQL injection attacks due to insufficient input validation. Which of the following is the BEST risk treatment strategy?
13. An organization is conducting a risk assessment for a new cloud-based HR system. Which THREE of the following are key considerations when evaluating the inherent risk?
14. Based on the exhibit, what is the MOST appropriate next step for the information security manager?
15. A multinational corporation is migrating its on-premises data center to a hybrid cloud environment. The organization processes highly sensitive financial data subject to strict regulatory requirements (e.g., GDPR, SOX). During the risk assessment, the information security manager discovers that the cloud service provider (CSP) stores data in multiple geographic regions, some of which do not meet the organization's data residency requirements. Additionally, the CSP's encryption key management is not fully under the organization's control, and the incident response plan does not include specific procedures for cloud-based breaches. The organization's risk appetite is low, and the board has mandated that all risks must be mitigated to an acceptable level. Which of the following is the BEST course of action?
16. Which of the following is the PRIMARY reason for an information security manager to integrate risk management into the organization's enterprise risk management (ERM) framework?
17. During a risk assessment, an organization identifies a critical vulnerability in a legacy system that cannot be patched. The system's availability is crucial for business operations. Which of the following risk treatment strategies is MOST appropriate?
18. Which of the following are key components of an Information Security Risk Management program? (Select TWO.)
19. An organization has a high residual risk after implementing all feasible controls. According to CISM best practices, which of the following should the information security manager do? (Select TWO.)
20. Match each risk assessment activity with the correct phase of the risk management lifecycle.
    Activities: 1. Identify assets and threats; 2. Determine risk level; 3. Select controls to reduce risk; 4. Monitor risk over time.
    Phases: A. Risk Assessment; B. Risk Treatment; C. Risk Monitoring; D. Risk Communication (not used).
21. A security manager is evaluating risk treatment options for a high-risk vulnerability. Drag each option to the correct risk treatment category.
    Options: Apply a vendor patch; Purchase cyber insurance; Decommission the system; Accept the risk with formal sign-off; Install a WAF (Web Application Firewall).
    Categories: Mitigate; Transfer; Avoid; Accept.
22. Which of the following is the PRIMARY purpose of an information security risk assessment?
23. An information security manager has identified a risk with a high likelihood and high impact. The cost of mitigating the risk exceeds the potential loss. What is the MOST appropriate risk treatment strategy?
24. During a risk assessment, a security manager discovers that the residual risk after implementing planned controls is still above the risk appetite threshold. What should the manager do NEXT?
25. Which of the following are key components of an information security risk management program? (Select TWO.)
26. A security manager is presenting risk analysis results to the board. Which of the following should the manager include to effectively communicate risk? (Select THREE.)
27. Order the steps for implementing a security awareness training program.
28. Order the steps for conducting an internal audit of an information security management system (ISMS) based on ISO 27001.
29. Order the steps for implementing a data classification policy in an organization.
30. Match each risk management term to its definition.
31. Match each business continuity term to its definition.
32. Match each cryptographic term to its description.
33. An organization is determining the risk treatment for a critical business process that has a high inherent risk. Which of the following is the MOST effective risk treatment strategy when the cost to mitigate exceeds the potential loss?
34. A security manager is conducting a risk assessment for a new cloud-based system. The system will store sensitive customer data. Which of the following should be the FIRST step in the risk assessment process?
35. After a data breach, the risk manager discovers that the risk assessment for the affected system had not been updated for two years. The organization's risk management policy requires annual reviews. Which of the following is the MOST significant consequence of this noncompliance?
36. A risk manager is presenting risk treatment options to senior management. Which of the following is the BEST approach to communicate risk in a way that supports informed decision-making?
37. A company is implementing a risk management program and needs to define risk appetite. Which of the following is the MOST appropriate statement of risk appetite for a financial institution?
38. During a risk assessment, the risk team identifies that a key vendor has access to sensitive data. The vendor's security posture is unclear. Which of the following is the BEST course of action?
39. Which of the following best describes residual risk?
40. A risk manager is evaluating a control that reduces the likelihood of a threat from high to low. The cost of the control is $100,000 annually. The expected loss without the control is $500,000 per year. Which of the following should the risk manager recommend?
41. An organization's risk management policy requires a quantitative risk assessment for all new projects. The project team estimates that a data breach could occur once every 5 years with an average loss of $2 million. What is the annualized loss expectancy (ALE)?
42. Which TWO of the following are key components of an information security risk assessment? (Choose two.)
43. Which TWO of the following are valid risk treatment options according to ISO 31000? (Choose two.)
44. Which THREE of the following are common challenges when implementing a risk management program in an organization? (Choose three.)
45. A company is implementing a risk management program and needs to identify the most critical assets. Which of the following is the BEST approach to prioritize assets for risk assessment?
46. During a risk assessment, an organization identifies that its legacy payment system has a high likelihood of exploitation due to unpatched vulnerabilities. The system is critical for daily operations. Which risk treatment option should the organization PRIMARILY consider?
47. A multinational organization is evaluating its risk appetite for a new cloud-based customer relationship management (CRM) system. The system will store personal data across multiple jurisdictions with varying data protection laws. The risk committee has set a risk appetite statement that allows only low residual risk. Which of the following controls is MOST critical to ensure compliance with the risk appetite?
48. An organization has recently experienced a data breach due to a misconfigured database. The root cause was a lack of proper change management. As part of the risk management process, what should the organization do NEXT after implementing corrective controls?
49. A company is developing a risk treatment plan for a set of identified risks. One risk involves a third-party vendor that hosts critical data. The risk owner recommends accepting the risk. Which of the following conditions would BEST support this decision?
50. An organization is implementing a quantitative risk analysis for a critical application. The asset value is $2,000,000. The exposure factor (EF) is 0.25, and the annualized rate of occurrence (ARO) is 0.5. What is the annualized loss expectancy (ALE)?
51. A risk assessment identifies that the organization's email system has a high likelihood of phishing attacks. The current controls include spam filtering and user awareness training. What should the organization do NEXT to manage this risk effectively?
52. During a risk assessment, a company discovers that its data backup process is incomplete: backups are performed daily but stored onsite without encryption. The risk owner proposes to accept this risk due to low likelihood of a physical breach. Which of the following is the BEST reason to challenge this acceptance?
53. An organization uses the ISO 31000 risk management framework. During the risk evaluation phase, it determines that a certain risk has a low likelihood but very high impact. The organization's risk appetite is moderate. Which of the following is the MOST appropriate risk treatment decision?
54. Which TWO of the following are key components of a risk assessment report according to best practices? (Choose two.)
55. Which THREE of the following are valid methods to identify information security risks? (Choose three.)
56. Which TWO of the following are examples of risk mitigation controls? (Choose two.)
57. A company is choosing a risk assessment methodology for a new cloud-based application. The CISO prefers a method that uses monetary values and numerical probabilities to compute annual loss expectancy. Which methodology should be selected?
58. During a risk assessment, an organization identifies that a legacy system processes credit card data and has a high likelihood of being exploited. The cost to remediate the vulnerability is $500,000, while the potential loss from a breach is $2 million with a 30% annual probability. What is the most appropriate risk treatment decision based on this information?
59. Which role is primarily responsible for ensuring that information security risks are identified, assessed, and managed within a business unit?
60. An organization calculates that the single loss expectancy (SLE) for a server failure is $10,000, and the annualized rate of occurrence (ARO) is 0.5. What is the annualized loss expectancy (ALE)?
61. A company has a risk appetite that is 'low' for operational risks. A risk assessment recently identified that a high-speed trading platform has a residual risk rating of 'high' after controls are applied. The cost to further reduce the risk is $1 million, which exceeds the expected benefit. What is the most appropriate action for the risk owner?
62. Which of the following best describes the difference between risk appetite and risk tolerance?
63. After implementing controls, an organization reassesses a risk and finds that the residual risk level exceeds the established risk tolerance. What is the most appropriate next step?
64. A security manager is preparing a risk report for the board of directors. Which of the following should be included to best support strategic risk-based decisions?
65. Which of the following is the primary purpose of a Key Risk Indicator (KRI)?
66. Which TWO of the following are common approaches to information security risk assessment?
67. Which THREE of the following are essential components of an information security risk management framework?
68. Which TWO of the following are valid risk response options?
69. Which host should be prioritized for risk mitigation based on the vulnerability scan results?
70. An employee emails a spreadsheet containing employee salaries to all staff by mistake. According to the exhibit, what is the minimum handling requirement that was violated?
71. Which of the following is the most significant risk in this architecture?
72. A financial institution is implementing a risk management program and needs to select a methodology that balances quantitative and qualitative factors, complies with regulatory requirements, and provides a consistent framework for risk assessment across business units. Which methodology would best meet these requirements?
73. A data breach has occurred exposing customer personal information. The risk manager needs to select a response to reduce the likelihood of similar incidents. Which risk response is most appropriate?
74. After implementing controls, the residual risk is calculated to be at a level that slightly exceeds the risk appetite. The business owner argues that the cost of further mitigation outweighs the benefit. What is the most appropriate action for the risk manager?
75. A company is assessing the risk of a critical system outage. The system has a maximum tolerable downtime (MTD) of 2 hours, but the current recovery time objective (RTO) is 4 hours. What is the most appropriate risk treatment?
76. A company engages a third-party vendor to process customer data. Which of the following is the most critical step in managing the associated risk?
77. A risk manager is aggregating risks across the enterprise and finds that multiple individual risks, each with low impact and low probability, could combine to create a significant risk. What is the best approach to address this?
78. An organization selects a control to mitigate a risk, but after implementation, the risk level remains unchanged. What should the risk manager do first?
79. Which of the following is the primary purpose of communicating risk assessment results to senior management?
80. A risk manager is establishing risk appetite for a new product line. Which of the following best describes the relationship between risk appetite and risk tolerance?
81. Which TWO of the following are risk treatment strategies as defined in ISO 27005?
82. Which TWO of the following are examples of key risk indicators (KRIs) for cybersecurity risk?
83. Which THREE of the following are typical steps in a qualitative risk assessment?
84. Based on the exhibit, which risk should be addressed first if the organization has limited resources?
85. A multinational corporation is expanding its cloud infrastructure across multiple regions. The risk team has identified that the shared responsibility model for cloud security is not well understood by business units. After a recent audit, several misconfigurations led to a data exposure incident that affected one region. The CISO wants to implement a risk management program that ensures consistent control across all regions. As the risk manager, what is the most effective course of action to reduce the risk of similar incidents?
86. A healthcare organization is merging with another entity and must integrate their IT systems. During due diligence, it is discovered that the acquired company has a high number of unpatched critical vulnerabilities in its electronic health record (EHR) system. The merger timeline is aggressive and the integration team wants to proceed as planned. As the risk manager, what is the best course of action?
87. A financial institution is implementing a risk-based approach to prioritize its information security initiatives. The risk manager has completed a risk assessment and identified several risks with varying impact and likelihood. Which TWO of the following are the most important benefits of using the risk assessment results to determine the order of security projects?
88. A small accounting firm with 50 employees recently suffered a ransomware attack that encrypted all client data on its file server. The firm had no backup strategy, and the attackers demanded a ransom for decryption. The firm paid the ransom, but many clients left due to loss of trust. The firm's owner has now hired you as a part-time risk manager. Your first task is to develop a risk management program. What is the most appropriate initial step?
89. A regional hospital is required to comply with the Health Insurance Portability and Accountability Act (HIPAA). During an internal audit, it was discovered that patient electronic health records (EHRs) are transmitted over the internet without encryption. The risk manager has been asked to recommend a risk treatment. Which action should be prioritized to address this finding?
90. A large retail chain with hundreds of stores uses point-of-sale (POS) systems that run an outdated operating system. The annual risk assessment identified this as a high-risk issue because the OS is no longer patched and has known vulnerabilities. The business unit manager opposes replacing all POS systems immediately due to cost and potential disruption to operations. As the risk manager, you need to recommend a risk response that balances risk reduction with business continuity. Which strategy is most appropriate?
91. A global financial services firm uses a Monte Carlo simulation model to quantify the potential financial impact of cyber events. The model inputs include historical loss data, threat intelligence, and control effectiveness. Over the past year, the model has consistently underestimated actual losses by an average of 40%. The risk manager suspects model risk but the quantitative team argues the model is peer-reviewed. The board is concerned about the accuracy of risk reporting. What is the best course of action for the risk manager?
92. A technology startup has grown rapidly and its risk management practices are informal. The CEO has a very high risk appetite and frequently overrides risk management recommendations to accelerate product launches. After a serious data breach involving customer payment information, the board of directors demands a formal risk management program. The risk manager is tasked with changing the risk culture. The startup has limited resources but must meet contractual obligations to protect customer data. What is the most effective first step?
93. An information security manager is implementing a risk management program. Which TWO of the following activities should be performed as part of the risk assessment process?
94. Refer to the exhibit. Based on the risk register extract, which risk should the information security manager prioritize for additional treatment?
95. A multinational financial services company is implementing a new regulatory requirement that mandates enhanced encryption for all customer data in transit. The organization currently uses TLS 1.2, but the regulation requires TLS 1.3. The risk owner for the data transmission system is the head of network operations, who believes the current controls are sufficient and argues that upgrading will cause significant downtime and cost. The information security manager has assessed the risk as high due to potential regulatory fines and reputational damage. The risk owner refuses to accept the risk and insists on deferring the upgrade. The organization has a risk appetite statement that accepts moderate residual risk only after explicit approval from the CRO. The escalation process involves the risk management committee. What is the BEST course of action for the information security manager?
The Information Security Risk Management domain covers the key concepts tested in this area of the CISM exam blueprint published by ISACA. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all CISM domains — no account required.
The Courseiva CISM question bank contains 95 questions in the Information Security Risk Management domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.